Written by: Guy Bakshi
This is the inaugural monthly edition of ‘Ask the DPO’. Our head of DPO Services, Guy Bakshi, looks at frequent questions that the DPO is asked.
What does it even mean to be a DPO? Isn’t the DPO a privacy lawyer? What’s the difference?
Being a DPO goes way beyond knowing privacy laws. Thinking about the clients we work with and why those engagements worked, we keep coming back to two basics:
Relationships. Building a privacy program without building real relationships is an uphill battle. To design something that actually accounts for your gaps, pain points, goals, and business needs, we need to get to know each other. The DPO has no interest in throwing templates at the client or answering questions with just “That’s the risk – you decide whether to take it.”
A DPO genuinely wants to improve the company’s privacy posture. That means intro meetings with product, legal, HR, sales, marketing, security, operations, customer success, and more – to understand the company’s needs and tailor the program specifically to it. The DPO is your colleague, not a consultant who parachutes in. The DPO is there to help the business grow. When you loop the DPO in early, you allow them to prepare properly.
Companies that take privacy seriously understand this: having a DPO as early as possible eliminates future struggles. And if you process personal data – who doesn’t? – there will be struggles.
Being active. The DPO’s job is to make the company’s life easier by using privacy as a competitive advantage, not a blocker. When asked to review a DPA (Data Processing Agreement), the DPO will do it – but will also flag that you can’t commit to keeping data in the EU because you’re already transferring data to a US vendor. The DPO knows that because the DPO knows your product and operations.
And a good DPO won’t stop there. They will proactively address that US vendor DPA to ensure you have a lawful transfer mechanism in place. They will make sure you have a DPA with your US parent company or subsidiary because the DPO knows they also receive EU data from you – and the exposure is significant (Google “Uber GDPR fine August 2024” if you want a concrete example). The DPO can reach out directly to HR when you receive a deletion request from a past job candidate and tell them exactly what needs to be done.
The DPO is there so that you’re not worried about privacy risks because they’re being managed.
